Which outgoing traffic does the captive portal block when the user has not authenticated yet? Only the HTTP/HTTPS traffic, or more? That is, which services can users use without being authenticated through the captive portal?

When all traffic is blocked, will VPN tunnels work through the captive portal?

The default configuration of the Captive Portal blocks any type of traffic if the user is not authenticated yet.
If you want to configure some UDP/TCP services to be accessed without authentication, you just have to add such services to the [Free Authorized Services] list in the section [Captive Portal]->[Gateway].
You can specify for every service the port, the protocol (TCP or UDP) and the IP of the server that provides the service. In the field “IP” you can put the word “ANY” to authorize any server that provides the service.

The procedure to authorize the VPN depends on the type of Virtual Private Network:
– if you use a UDP/TCP encapsulated VPN such as OpenVPN or IPSec with NAT-T (UDP 4500 and 500), you can use the [Free Authorized Services] list as described above;

– if you want to authorize IPSec or PPTP, you need to add some rules in the FORWARD chain of the firewall with target ACCEPT. For the PPTP VPN you need to authorize the GRE tunnel and TCP port 1723 in the firewall.
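
The FORWARD-chain rules described in the reply above, as an added example that is not part of the original post: a small generator that prints (does not apply) ACCEPT rules scoped to a single VPN server instead of any destination. It assumes plain `iptables` syntax; the function name and the address `203.0.113.10` are constructed for illustration, and the UDP 500 / ESP pair for native IPSec is standard protocol knowledge rather than something stated in the reply.

```shell
#!/bin/sh
# Added example: emit FORWARD-chain ACCEPT rules for VPN types that need
# a bare IP protocol (GRE, ESP) and so cannot be listed as a TCP/UDP service.
# vpn_forward_rules is a hypothetical helper; nothing is applied to the firewall.

vpn_forward_rules() {
    vpn_type=$1
    server=$2
    # Refuse anything containing characters other than digits and dots,
    # so a wildcard such as "ANY" never becomes a wide-open rule.
    case $server in
        ''|*[!0-9.]*) echo "error: server must be an IPv4 address" >&2; return 2 ;;
    esac
    case $vpn_type in
        # PPTP: control channel on TCP 1723, data in GRE (IP protocol 47)
        pptp)  specs="tcp:1723 47:-" ;;
        # Native IPSec without NAT-T: IKE on UDP 500, data in ESP (IP protocol 50)
        ipsec) specs="udp:500 50:-" ;;
        *) echo "error: unknown VPN type: $vpn_type" >&2; return 2 ;;
    esac
    for spec in $specs; do
        proto=${spec%%:*}
        port=${spec#*:}
        if [ "$port" = "-" ]; then
            # Portless protocol: match on protocol number and server address only
            echo "iptables -I FORWARD -p $proto -d $server -j ACCEPT"
            echo "iptables -I FORWARD -p $proto -s $server -j ACCEPT"
        else
            # Client-to-server traffic, then the server's replies
            echo "iptables -I FORWARD -p $proto -d $server --dport $port -j ACCEPT"
            echo "iptables -I FORWARD -p $proto -s $server --sport $port -j ACCEPT"
        fi
    done
}

# Constructed sample run: rules for a PPTP server at a documentation address
vpn_forward_rules pptp 203.0.113.10
```

Review the printed rules before running them on the gateway; pinning them to the VPN server's address keeps unauthenticated clients from using GRE or ESP toward arbitrary hosts.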